b'         U.S. ENVIRONMENTAL PROTECTION AGENCY\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n                                        Catalyst for Improving the Environment\n\n\nAudit Report\n\n\n\n\n       Improvements Needed in\n       EPA\xe2\x80\x99s Efforts to Replace Its\n       Core Financial System\n       Report No. 11-P-0019\n\n       November 29, 2010\n\x0cReport Contributors:                          Rudolph M. Brevard\n                                              Charles M. Dade       \n\n                                              Andrew Gibson        \n\n\n\n\n\nAbbreviations\n\nEPA          U.S. Environmental Protection Agency\nFFMSR        Federal Financial Management Systems Requirements\nFMLoB        Financial Management Line of Business\nFSIO         Financial Systems Integration Office\nIFMS         Integrated Financial Management System\nIV&V         Independent Verification and Validation\nJFMIP        Joint Financial Management Improvement Program\nOCFO         Office of the Chief Financial Officer\nOIG          Office of Inspector General\nOMB          Office of Management and Budget\nPAT          Product Acceptance Testing\nPMA          President\xe2\x80\x99s Management Agenda\nSLCM         Systems Life Cycle Management\n\x0c                                                                                                              11-P-0019\n                                                                                                       November 29, 2010\n                        U.S. Environmental Protection Agency\n                        Office of Inspector General\n\n\n                        At a Glance\n                                                                                Catalyst for Improving the Environment\n\nWhy We Did This Review\n                                   Improvements Needed in EPA\xe2\x80\x99s Efforts to\nWe sought to evaluate whether      Replace Its Core Financial System\nthe Office of the Chief\nFinancial Officer (OCFO)\n                                    What We Found\neffectively managed the system\ndevelopment project to replace\n                                   OCFO\xe2\x80\x99s management control processes do not ensure compliance with EPA\xe2\x80\x99s\nthe U.S. Environmental\n                                   Systems Lifecycle Management policies and procedures. Such compliance is\nProtection Agency\xe2\x80\x99s (EPA\xe2\x80\x99s)\n                                   necessary to provide reasonable assurance that efforts to replace the Agency\xe2\x80\x99s core\ncore financial system, the\n                                   financial system achieve the desired results. EPA\xe2\x80\x99s system development policies and\nIntegrated Financial\n                                   procedures identify specific activities and documents required during a system\nManagement System (IFMS).\n                                   development project. However, OCFO\xe2\x80\x99s internal control environment does not\nWe also sought to evaluate\n                                   enforce these policies and procedures. OCFO proceeded with the design subphase of\nwhether the system\n                                   the system project without obtaining executive management approval of the updated\ndevelopment project is\n                                   system requirements or developing and obtaining the required approval of test plans\nachieving the desired results.\n                                   to ensure the system will meet Agency needs. Furthermore, OCFO did not\n                                   predetermine the acceptable product acceptance test script failure percentages to be\nBackground\n                                   used as the basis for management\xe2\x80\x99s go/no-go decision to proceed with using the\nIn 1989, EPA implemented           evaluated product. These conditions could result in a system that does not meet\nIFMS as its core financial         management\xe2\x80\x99s expectations and EPA\xe2\x80\x99s needs, and/or does not comply with all\nmanagement and budget              applicable federal and EPA requirements.\nexecution system. In 2001,\nEPA began the process to            What We Recommend\nreplace IFMS. EPA selected a\ncommercial-off-the-shelf core      We recommend that the Chief Financial Officer develop and implement formal\nfinancial system certified by      procedures for future projects to ensure that the requirements document(s) and test\nthe General Services               plans are authorized by executive management prior to approving the system to move\nAdministration Financial           into the next phase of the lifecycle. We recommend that any subsequent changes to\nSystems Integration Office.        the requirements document(s) and/or test plans be authorized by executive\n                                   management prior to making changes to the design of the system.\nFor further information, contact\nour Office of Congressional,\nPublic Affairs and Management\n                                   We also recommend that the Chief Financial Officer develop and implement formal\nat (202) 566-2391.                 procedures to ensure that the test plan associated with product acceptance testing, or\n                                   any other test on which management relies, includes criteria that define what\nTo view the full report,           constitutes pass or failure to ensure that management has a basis for making go/no-go\nclick on the following link:       decisions.\nwww.epa.gov/oig/reports/2011/\n20101129-11-P-0019.pdf\n                                   The Agency agreed with the recommendations with agreed-upon corrective actions\n                                   pending.\n\x0c                 UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                              WASHINGTON, D.C. 20460\n\n\n                                                                                 THE INSPECTOR GENERAL\n\n\n\n\n                                        November 29, 2010\n\nMEMORANDUM\n\nSUBJECT:\t              Improvements Needed in EPA\xe2\x80\x99s Efforts to\n                       Replace Its Core Financial System\n                       Report No. 11-P-0019\n\n\nFROM:                  Arthur A. Elkins, Jr.\n                       Inspector General\n\nTO:    \t               Barbara Bennett\n                       Chief Financial Officer\n\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the\nproblems the OIG has identified and corrective actions the OIG recommends. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nThe estimated cost of this report, calculated by multiplying the project\xe2\x80\x99s staff days and expenses\nby the applicable daily full cost billing rates in effect at the time, is $136,849.\n\nAction Required\n\nIn accordance with EPA Manual 2750, you are required to provide a written response to this\nreport within 90 calendar days. You should include a corrective actions plan for agreed-upon\nactions, including milestone dates. Your response will be posted on the OIG\xe2\x80\x99s public website,\nalong with our memorandum commenting on your response. Your response should be provided\nas an Adobe PDF file that complies with the accessibility requirements of section 508 of the\nRehabilitation Act of 1973, as amended. The final response should not contain data that you do\nnot want to be released to the public; if your response contains such data, you should identify the\ndata for redaction or removal. We have no objections to the further release of this report to the\npublic. We will post this report to our website at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact Patricia H. Hill at\n202-566-0894 or hill.patricia@epa.gov, or Rudolph M. Brevard at 202-566-0893 or\nbrevard.rudy@epa.gov.\n\x0cImprovements Needed in EPA\xe2\x80\x99s Efforts to                                                                                          11-P-0019\nReplace Its Core Financial System\n\n\n\n\n                                         Table of Contents \n\nPurpose .............................................................................................................................    1\n\n\nBackground .......................................................................................................................        1        \n\n\nScope and Methodology ..................................................................................................                  2        \n\n\nFindings .............................................................................................................................    2\n\n\n           Key Requirements Phase Documentation Not Authorized \n\n                Before Moving Into Design Subphase...........................................................                             2\n\n           Product Acceptance Criteria Not Defined Before Testing .......................................                                 3\n\n\nRecommendations............................................................................................................               4\n\n\nAgency Comments and OIG Evaluation .........................................................................                             4         \n\n\nStatus of Recommendations and Potential Monetary Benefits....................................                                             5\n\n\n\n\nAppendices \n\n     A Summary of Issues That May Have Contributed to Delays...............................                                              6         \n\n\n     B Overview of EPA\xe2\x80\x99s System Life Cycle Management Phases ............................                                                9         \n\n\n     C Agency Response .................................................................................................                 10    \n\n\n     D Distribution ............................................................................................................         13    \n\n\x0cPurpose\n            We sought to evaluate whether the Office of the Chief Financial Officer (OCFO)\n            effectively managed the information technology project to replace the U.S.\n            Environmental Protection Agency\xe2\x80\x99s (EPA\xe2\x80\x99s) core financial system, the Integrated\n            Financial Management System (IFMS). We also sought to evaluate whether the\n            system development project is achieving the desired results.\n\nBackground\n\n            Based on requirements and demands placed on EPA by internal and external\n            stakeholders, EPA decided to explore new core financial system options. The\n            Financial Replacement Systems investment is OCFO\xe2\x80\x99s ongoing modular approach\n            to replacing its legacy financial systems, which include IFMS. EPA implemented\n            IFMS in 1989 as its management and budget execution system.\n\n            In February 2001, EPA hired a contractor to conduct an analysis of the Agency\xe2\x80\x99s\n            current financial systems and document the results in a strategic assessment. This\n            assessment initiated the exploration for a new application. In January 2006, EPA\n            issued a request for proposal to obtain bids for the project. EPA selected a\n            commercial-off-the-shelf core financial system that is certified by the General\n            Services Administration Financial Systems Integration Office (FSIO).\n\n            EPA issued its Systems Life Cycle Management (SLCM) policy to promote\n            effective and efficient processes for designing and operating information systems.\n            Consistent with the policy, EPA\xe2\x80\x99s SLCM procedure requires periodic,\n            documented, management-level review of projects by the sponsoring office. The\n            procedure requires program managers to oversee activities and establishes key\n            opportunities to review development as the project progresses. These EPA policy\n            documents define major decision points as \xe2\x80\x9ccontrol gates.\xe2\x80\x9d The SLCM procedure\n            requires the system manager to provide the required SLCM documentation to\n            senior management for approval at each control gate. The procedure then requires\n            senior management to make a go/no-go decision based on a review to ensure the\n            required work products for each control gate are completed, approved, and\n            verified. The policy and procedure also dictate that a system cannot move to the\n            next phase without a go decision for the specific control gate.\n\n            Many internal and external issues occurred during the lifecycle of this project,\n            resulting in baseline changes and schedule delays. Appendix A highlights some of\n            the issues that appear to have significantly altered the course of this project. The\n            OCFO Office of Technology Solutions is managing the implementation of EPA\xe2\x80\x99s\n            SLCM processes for this project. See appendix B for specific details of EPA\xe2\x80\x99s\n            SLCM phases, subphases, and control gates.\n\n\n\n\n11-P-0019                                                                                     1\n\x0cScope and Methodology\n            We conducted this audit from January through September 2010, at EPA\n            headquarters in Washington, DC. We conducted the audit in accordance with\n            generally accepted government auditing standards. These standards require that\n            we plan and perform the audit to obtain sufficient and appropriate evidence to\n            provide a reasonable basis for our findings and conclusions based on our audit\n            objectives. We believe the evidence obtained provides a reasonable basis for our\n            findings and conclusions.\n\n            We performed a limited review of the status of the SLCM processes the Agency\n            had undergone up to this point to replace IFMS. According to the project\n            manager, at the start of the audit, the Agency had just moved into the design\n            subphase of the acquisition/development phase of the SLCM process. We\n            considered relevant internal controls associated with the objectives of our review.\n            We reviewed system lifecycle documentation and interviewed Agency personnel\n            involved with the replacement system project. We did not look in detail at any\n            specific subphase of the SLCM process, but rather evaluated the applicable\n            documentation to assess compliance with EPA\xe2\x80\x99s SLCM procedures. For example,\n            we did not test the adequacy of system requirements but rather verified whether\n            EPA defined and authorized them.\n\nFindings\n            OCFO\xe2\x80\x99s management control processes do not ensure compliance with EPA\xe2\x80\x99s\n            SLCM policies and procedures necessary to provide reasonable assurance that\n            efforts to replace the Agency\xe2\x80\x99s core financial system achieve the desired results.\n            OCFO proceeded with the design subphase without obtaining executive\n            management\xe2\x80\x99s approval of the revised requirements or developing and obtaining\n            required approval of the associated test plans as required by EPA\xe2\x80\x99s SLCM\n            procedure. Furthermore, OCFO did not predetermine the acceptable product\n            acceptance test (PAT) script failure percentages to be used as the basis of\n            management\xe2\x80\x99s go/no-go decision on the project. These conditions could result in a\n            system that does not meet management\xe2\x80\x99s expectations and EPA\xe2\x80\x99s needs, and/or\n            does not comply with all applicable federal and EPA requirements.\n\n            Key Requirements Phase Documentation Not Authorized Before\n            Moving Into Design Subphase\n\n            In October 2008, the acting director for the Office of Enterprise Technology\n            Innovations issued, and the deputy chief financial officer approved, a decision\n            memorandum directing the project team to proceed to the design subphase prior to\n            completing key activities in the requirements subphase. OCFO proceeded to the\n            acquisition/development phase\xe2\x80\x99s design subphase of implementation without\n            solidifying requirements or developing and approving test plans. Without\n\n\n11-P-0019                                                                                    2\n\x0c            solidified requirements, it is difficult for OCFO to create test plans that ensure\n            that the system meets the needs of the Agency.\n\n            According to Agency policies and procedures, the requirements document(s) and\n            test plans must be completed and approved by executive management prior to\n            moving from the requirements subphase into subsequent phases of the system\xe2\x80\x99s\n            lifecycle. Also, any subsequent changes to either the requirements or test plans\n            must be authorized by executive management prior to making changes to the\n            design of the system. OCFO did not receive approval to make changes to its\n            requirements from the Change Control Board until May 2010, over a year and a\n            half after OCFO had moved into the design subphase.\n\n            The system manager must ensure that specific, complete, measurable, and testable\n            requirements and associated test plans are developed and approved by executive\n            management prior to moving from the requirements subphase to subsequent\n            phases. Additionally, the system manager must ensure that any changes to the\n            requirements and/or test plans in subsequent phases are approved by executive\n            management prior to making changes to the design. If specific, complete,\n            measurable, and testable requirements and test plans are not developed, EPA\n            cannot be sure that all requirements are met.\n\n            Product Acceptance Criteria Not Defined Before Testing\n\n            OCFO did not establish thresholds for PAT success or failure on which\n            management would make a go/no-go decision prior to executing the test.\n            According to the contract:\n\n                   The awardee shall conduct a PAT using the configuration that\n                   demonstrates the solution meets the requirements indicated as met\n                   \xe2\x80\x9cout of the box\xe2\x80\x9d in the awardee\xe2\x80\x99s response to the Requirements\n                   Matrix. The awardee shall complete the PAT within the timeframe\n                   and acceptance metrics proposed by the Awardee and accepted by\n                   the Government.\n\n            Without predefined test criteria, OCFO did not have objective measures to ensure\n            that the intent of the PAT was met and the out-of-the-box system met the\n            requirements as indicated by the contractor.\n\n            Additionally, OCFO could not provide a test plan approved by senior\n            management that defined and documented the test (purpose, requirements, test\n            scripts, the criteria associated with the results to be applied for making the go/no-\n            go decision, etc.). Such a test plan should have been developed and approved by\n            executive management prior to the acquisition/development phase (the phase in\n            which the PAT occurred). The lack of predefined test result thresholds for\n            pass/failure on the PAT scripts could result in a product that requires significant\n            customization to meet Agency requirements.\n\n11-P-0019                                                                                        3\n\x0cRecommendations\n            We recommend that the Chief Financial Officer:\n\n               1.\t Develop and implement formal procedures for future projects to ensure\n                   that:\n\n                   a.\t the requirements document(s) and test plans are authorized by\n                       executive management (as a part of the definition phase\xe2\x80\x99s\n                       requirements subphase) prior to approving the system to move into the\n                       next phase of the lifecycle, and\n                   b.\t any subsequent changes to the requirements document(s) and/or test\n                       plans are authorized by executive management prior to making\n                       changes to the design of the system.\n\n               2.\t Develop and implement formal procedures to ensure that the test plan\n                   associated with PAT or any other test includes criteria that define what\n                   constitutes pass or failure to ensure that management has a basis for\n                   making go/no-go decisions.\n\nAgency Comments and OIG Evaluation\n            In its October 12, 2010, response to the draft audit report, OCFO agreed with our\n            recommendations. OCFO is planning to take actions to improve its processes\n            related to our findings and recommendations. OCFO indicated that it plans to\n            develop a checklist to identify, track, and monitor the requirements approval\n            process and provide training on the procedures for obtaining executive\n            management\xe2\x80\x99s approval for changes to requirements and test plans. OCFO also\n            plans to develop processes, revise existing procedures, and provide training\n            associated with go/no-go decisionmaking criteria and ensure that the criteria are\n            defined and approved prior to the start of work. We consider all of the\n            recommendations open with agreed-upon corrective actions pending. The\n            Agency\xe2\x80\x99s complete response is provided in appendix C.\n\n\n\n\n11-P-0019                                                                                     4\n\x0c                                 Status of Recommendations and\n                                   Potential Monetary Benefits\n\n                                                                                                                          POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                        BENEFITS (in $000s)\n\n                                                                                                              Planned\n    Rec.    Page                                                                                             Completion   Claimed    Agreed-To\n    No.      No.                          Subject                        Status1      Action Official           Date      Amount      Amount\n\n     1        4     Develop and implement formal procedures for             O      Chief Financial Officer\n                    future projects to ensure that:\n                     a. the requirements document(s) and test plans\n                        are authorized by executive management (as\n                        a part of the definition phase\xe2\x80\x99s requirements\n                        subphase) prior to approving the system to\n                        move into the next phase of the lifecycle, and\n                     b. any subsequent changes to the requirements\n                         document(s) and/or test plans are authorized\n                         by executive management prior to making\n                         changes to the design of the system.\n\n     2        4     Develop and implement formal procedures to              O      Chief Financial Officer\n                    ensure that the test plan associated with PAT or\n                    any other test includes criteria that define what\n                    constitutes pass or failure to ensure that\n                    management has a basis for making go/no-go\n                    decisions.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is undecided with resolution efforts in progress\n\n    11-P-0019                                                                                                                               5\n\x0c                                                                                                            Appendix A\n\n                     Summary of Issues That May Have \n\n                         Contributed to Delays \n\nA number of events occurred during the system development project that slowed the project\xe2\x80\x99s\nprogress. Each is shown in the timeline below (figure A-1) and explained in the text that follows.\n\n Figure A-1: Financial Replacement System chronological project roadblocks\n\n\n                           Agency Policies and Procedures Evolved\n\n                                                 Project Management Turned Over\n\n\n                                                              Financial Management\n\n                                                                      Line of\n\n                                                              Business Established\n\n\n\n                                                                            Federal\n                                                                           Financial\n                                                                         Management\n                                                                            System\n                                                                         Requirements\n                                                                           Changed\n\n                                                                                     Bid Protest\n                                                                                       Lodged\n\n                                                                                                     System\n                                                                                                  Development\n                                                                                                 Model Changed\n     2000\n\n\n\n              2001\n\n\n\n                         2002\n\n\n\n                                  2003\n\n\n\n                                          2004\n\n\n\n                                                       2005\n\n\n\n                                                                  2006\n\n\n\n                                                                              2007\n\n\n\n                                                                                          2008\n\n\n\n                                                                                                     2009\n\n\n\n                                                                                                                 2010\n\n\n                                                  Calendar Year\n\n Source: OIG analysis.\n\n\n\n\nAgency Policies and Procedures Evolved\nThroughout the lifecycle of this project, EPA governed its systems development activities under\nmultiple, evolving systems lifecycle management procedures. When the project began in 2001,\nEPA policy for SLCM was documented in the Information Resources Management Manual\nChapter 17, Systems Life Cycle Management, issued August 28, 1994. An Interim Agency\nSLCM Procedure, which was approved on April 29, 2005, and the SLCM Procedure, which was\napproved on June 28, 2007, superseded the Information Resources Management Manual.\n\n\n 11-P-0019                                                                                                              6\n\x0cDifferences in these documents may have contributed to delays throughout the lifecycle of this\nproject. In the 2005 and 2007 SLCM procedures, the SLCM is broken into the following phases:\n\n   \xef\x82\xb7   Definition phase\n   \xef\x82\xb7   Development or acquisition phase (2005 procedure)\n       Acquisition/development phase (2007 procedure)\n   \xef\x82\xb7   Implementation phase\n   \xef\x82\xb7   Operations and maintenance phase\n   \xef\x82\xb7   Termination phase\n\nThe 2007 SLCM procedure documents the same phases but broke down some of the phases into\nsubphases and established control gates to which the Agency must adhere. The subphases for the\ndefinition phase are concept exploration, system planning, and requirements. The acquisition and\ndevelopment subphases are acquisition, design, development, and test.\n\nProject Management Turned Over\nSince this project began, persons holding project management responsibility on the Financial\nSystem Modernization Project have retired or left to pursue other opportunities. Loss of expertise\nand knowledge over the lifetime of the project has presented challenges in maintaining artifacts\nas well as understanding undocumented thought processes.\n\nFinancial Management Line of Business Established\nA major hurdle that the Agency faced during the procurement was deciding which procurement\nvehicle to use as well as ensuring that the process was competitive and complied with federal\nprocurement regulations and the federal government\xe2\x80\x99s implementation of the Financial\nManagement Line of Business (FMLoB) initiative established by the Office of Management and\nBudget (OMB).\n\nIn 2001, President Bush created the President\xe2\x80\x99s Management Agenda (PMA) to address the need\nfor citizen-centered, results-oriented, and market-based federal government initiatives. The\nsuccess of the PMA depended on federal agencies working as a team across traditional\nboundaries to better serve the American people by focusing on citizens rather than individual\nagency needs. Pursuant to the PMA, OMB created the lines-of-business initiatives, which\naddress redundant information technology investments and business processes across the federal\ngovernment. The lines-of-business initiatives afforded agencies an unprecedented opportunity to\ninfluence the direction of specific core business functions government-wide. The FMLoB was\ncreated as part of these initiatives. FSIO, within the General Services Administration Office of\nTechnology Strategy, is the program manager for FMLoB.\n\nIn June 2005, EPA issued the initial acquisition strategy for the replacement system project,\nstating that it planned to use a General Services Administration schedule to issue a blanket\npurchase agreement for services needed for the replacement system project. In fall 2005, OMB\nbegan to issue guidance directing agencies to use commercial vendors or the center of excellence\n\n\n 11-P-0019                                                                                     7\n\x0cvendors for implementation as well as hosting services In January 2006, EPA revised its\nacquisition strategy to address OMB\xe2\x80\x99s guidance.\n\nFederal Financial Management System Requirements Changed\nEPA\xe2\x80\x99s original requirements were documented under the Joint Financial Management\nImprovement Program (JFMIP) Federal Financial Management Systems Requirements\n(FFMSR), in place in October 2005 when the original solicitation package was put together. The\nJFMIP principals voted to modify the roles and responsibilities of the JFMIP and established\nFSIO within the General Services Administration, which was formerly known as the JFMIP staff\noffice. FSIO issued new FFMSRs in 2006, which replaced the associated JFMIP FFMSRs. In\nAugust 2009, OCFO underwent a process to recertify the requirements to ensure compliance\nwith the new FSIO FFMSRs, among other inputs.\n\nBid Protest Lodged\nA bid protest over the contract award associated with this project also added to the delays. EPA\nawarded the contract on February 12, 2007. One of the unsuccessful vendors filed a bid protest\non February 26, 2007. The U.S. Government Accountability Office sustained/approved the bid\nprotest on June 4, 2007. The award protest was resolved on April 10, 2008, and the first task\norder was issued on May 6, 2008.\n\nSystem Development Model Changed\nThe decision to begin the implementation with the Rapid Prototype Life Cycle system\ndevelopment model in 2005 and then to change to the spiral model in 2008 may have contributed\nto some of the Agency\xe2\x80\x99s time lags and schedule delays.\n\nIn a rapid prototype development effort, an initial set of system requirements is translated into a\ntest environment, and end users provide feedback. The feedback may lead to changes in\nconfiguration, business process reengineering, or other modifications. While every attempt will\nbe made to minimize customizations to the commercial software, some customizations may be\nneeded. The process of building, using, evaluating, and refining goes through several iterations\nbefore the system is ready for deployment. As the project progresses, the rapid prototype model\nmay be tailored.\n\nThe Spiral Life Cycle Model encompasses the best features of both the Waterfall Life Cycle and\nprototyping models, while simultaneously adding a new element: risk analysis. The model\ndivides the software engineering space into four quadrants: planning, risk analysis, engineering,\nand customer evaluation.\n\n\n\n\n 11-P-0019                                                                                        8\n\x0c                                                                                     Appendix B\n\n                       Overview of EPA\xe2\x80\x99s \n\n             System Life Cycle Management Phases \n\nEPA\xe2\x80\x99s system lifecycle consists of five phases. The objective of each phase is to ensure sound\nproject planning and management practices throughout the system lifecycle. Figure B-1 depicts\nthese phases and provides a context in relation to EPA\xe2\x80\x99s enterprise architecture, capital planning\nand investment control, and security processes. The diagram also identifies the principal\nexecutive-level reviews (control gate reviews) that apply during the system lifecycle.\n\nFigure B-1: EPA\xe2\x80\x99s Lifecycle Management Framework\n\n\n\n\nSource: EPA\xe2\x80\x99s System Life Cycle Management (SLCM) Procedure (2121-P-01.0), June 28, 2007, p. 8.\n\n\n\n\n 11-P-0019                                                                                        9\n\x0c                                                                                 Appendix C\n\n                             Agency Response\n                               October 12, 2010 (date stamped)\n\n\n\n\nMEMORANDUM\n\nSUBJECT: \t    Response to the Office of the Inspector General Draft Audit Report,\n              \xe2\x80\x9cImprovements Needed in EPA\xe2\x80\x99s Efforts to Replace Its Core Financial System,\xe2\x80\x9d\n              Project Number OMS-FY10-0006, dated September 9, 2010\n\nFROM: \t       Barbara J. Bennett /s/\n              Chief Financial Officer\n\nTO: \t         Rudolph M. Brevard\n              Director, Information Resources Management Assessments\n              Office of Missions Systems\n              Office of Inspector General\n\n       Thank you for the opportunity to review and comment on the draft audit report entitled,\n\xe2\x80\x9cImprovements Needed in EPA\xe2\x80\x99s Efforts to Replace Its Core Financial System, Project Number\nOMS-FY10-0006.\xe2\x80\x9d I would like to express my appreciation to you and your staff for working\ncollaboratively with OCFO to ensure the report\xe2\x80\x99s factual accuracy and provide recommendations\nto improve OCFO processes.\n\n       The Office of Inspector General issued the following two recommendations. OCFO\xe2\x80\x99s\nresponses follow each recommendation:\n\nReport Recommendation 1:\n\n   \xef\x82\xb7\t Develop and implement formal procedures for future projects to ensure that:\n         o\t the requirements document(s) and test plans are authorized by executive\n            management (as a part of the definition phase\xe2\x80\x99s requirements subphase) prior\n            to approving the system to move into the next phase of the lifecycle, and\n         o\t any subsequent changes to the requirements document(s) and/or test plans are\n            authorized by executive management prior to making changes to the design of\n            the system.\n\n\n\n\n11-P-0019                                                                                  10\n\x0cOCFO Response:\n\n        OCFO agrees that the management control processes could have been more structured as\nthe project progressed and has taken steps to formalize its current requirements and management\napproval procedures. However, at no time did OCFO\xe2\x80\x99s management approval process\ncompromise the development of system requirements and test plans to provide reasonable\nassurance that EPA will achieve its desired results.\n\n        The draft report accurately described that revisions/changes made in the System\nLifecycle Management (SLCM) document and the related control gate impacted how OCFO\nprogressed in developing its new core financial system. OCFO used its program management\nsupport contractor to review the changes that occurred from the initial SLCM document in place\nat the beginning of the contract to its current version. The contractor identified the specific\nactions OCFO had taken that were different than the required actions in the initial SLCM. The\ncontractor further prepared a justification for an approval waiver, if warranted. Based on an\nIndependent Verification and Validation (IV&V) conducted by the Office of Environmental\nInformation (OEI), a waiver was deemed unnecessary because OCFO\xe2\x80\x99s actions and approach did\nnot materially compromise or change the eventual decision. The program management report for\nOCFO and the IV&V report from OEI are available for review.\n\n        The draft report portrayed the OCFO system requirements approval process less\nfavorably. OCFO took great strides to ensure that requirements were complete, measureable,\nand testable. OCFO documented and tracked requirements in a matrix that was reviewed and\napproved by senior management at key points. The draft report accurately identified OCFO\xe2\x80\x99s\nprogress in reviewing and revising its requirements as the project progressed. For example,\nOCFO worked with EPA\xe2\x80\x99s program and regional office subject matter experts to identify and\nconfirm that approximately 1,400 requirements satisfied EPA, Financial Management Line of\nBusiness (FMLoB), and Financial Systems Integration Office (FSIO) requirements. This\nbaseline set of requirements was an attachment to the formal OCFO acquisition in the Request\nfor Proposal. Due to subsequent changes to FSIO requirements and new Momentum\ncapabilities, OCFO continued its review and approval of system requirements. Rather than\nsubmitting a revised list of all the requirements for management\xe2\x80\x99s approval, EPA separated the\nrequirements into two categories: (1) no additional changes and/or approvals needed, and (2)\nchanges that required management approval through the OCFO Change Control Board.\nAlthough the draft report states that OCFO proceeded with the design subphase without\nobtaining executive management approval, OCFO based the design phase on requirements that\ndid not require additional management approvals.\n\n        To improve the requirements approval process and procedures for current and future\nOCFO projects, OCFO is developing a checklist to identify, track, and monitor those actions that\nrequire executive management approval. The OCFO project manager will see that the checklist\nis regularly utilized and maintained. OCFO will train its control account managers and other\nsubject matter experts working on the project on the procedures for obtaining executive\nmanagement approval over changes to requirements and test plans.\n\n\n\n\n11-P-0019                                                                                    11\n\x0c       Report Recommendation 2:\n\n   \xef\x82\xb7\t Develop and implement formal procedures to ensure that the test plan associated with\n      PAT or any other test includes criteria that define what constitutes pass or failure to\n      ensure that management has a basis for making go/no-go decisions.\n\nOCFO Response:\n\n        OCFO agrees that it should have followed a more formal process in identifying and\ndocumenting its PAT plan and the associated criteria for formulating a \xe2\x80\x9cgo/no go\xe2\x80\x9d decision on\nthe project. However, at no time did the PAT \xe2\x80\x9cgo/no-go\xe2\x80\x9d criteria: (1) incorrectly influence\nmanagement\xe2\x80\x99s decision to accept or not accept the Momentum product, (2) result in a system that\ncould not meet management\xe2\x80\x99s expectations and EPA\xe2\x80\x99s needs, and (3) result in the selection of a\nproduct that does not comply with applicable federal and EPA requirements.\n\n        OCFO worked with EPA\xe2\x80\x99s program and regional office subject matter experts to test and\nverify whether the Momentum product could meet EPA\xe2\x80\x99s critical requirements. The Momentum\nproduct was a commercial-off-the-shelf product that is in place in other government agencies.\nAccordingly, OCFO was fully aware that the Momentum product was an established suite and\nrelied on the success/failure criteria established by EPA\xe2\x80\x99s subject matter experts during their\nassessment of performance against test scripts during the PAT testing. The Momentum\ncontractor developed the test scripts with input from the EPA experts. In some cases, the test\nscript failed due to a missing step and not because the Momentum software could not meet the\nEPA requirement. Accordingly, EPA allowed some test scripts to be revised and retested. The\nEPA control account manager made the decision to develop the \xe2\x80\x9cgo/no-go\xe2\x80\x9d decision criteria\nbased on input from the EPA subject matter experts. OCFO documented the PAT results and\nmade a presentation to the Administrative System Architecture Steering Committee (ASA SC)\nthat serves as the Agency-level governance body for the project. Based on the information\nprovided, the ASA SC made the recommendation to the Deputy CFO, as the project sponsor, to\naccept the Momentum product and move forward with the project.\n\n        To improve its process for defining \xe2\x80\x9cgo/no-go\xe2\x80\x9d decision making criteria, OCFO will\ndevelop processes and revise existing procedures to apply more rigorous use of test script results\nin driving \xe2\x80\x9cgo/no-go\xe2\x80\x9d decisions on current and future projects. We have done this with FSMP\nand will use the criteria in obtaining executive management go/no-go decisions. The OCFO\nproject manager will see that decision making criteria are developed based on test script pass/fail\nmetrics and approved prior to the start of the work. OCFO will train its control account\nmanagers and other subject matter experts working on the project on the appropriate evaluation\nof projects based on test script pass/fail measures. At present, EPA has applied the OIG\nrecommendation and established success/failure metrics and acceptance criteria for the upcoming\nUser Acceptance Testing phase of the Core Financial System implementation.\n\n\n\n\n11-P-0019                                                                                       12\n\x0c                                                                                  Appendix D\n\n                                     Distribution\nOffice of the Administrator\nChief Financial Officer\nAgency Followup Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nDirector, Office of Financial Management, Office of the Chief Financial Officer\nAudit Followup Coordinator, Office of the Chief Financial Officer\n\n\n\n\n11-P-0019                                                                                 13\n\x0c'